Privacy Policy

Last updated: April 23, 2026

Voxilo (operated by CraftsmenLeads LLC, a Wyoming limited liability company; together, "Voxilo," "we," "us," or "our") operates the voxilo.ai website and the Voxilo AI voice agent platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you interact with our Service.

SMS / Mobile Messaging Privacy

CraftsmenLeads operates an SMS messaging program for users who have affirmatively opted in through the consent form at https://www.craftsmenleads.com/support/phone. This section describes how mobile information collected through that program is handled.

What mobile information we collect

When you opt in to SMS, we collect:

  • Your mobile phone number
  • Your explicit SMS consent (timestamp, IP address, and the exact consent text you agreed to, stored verbatim)
  • Messages sent and received between you and CraftsmenLeads or the contractor you contacted
  • SMS delivery metadata (delivery status, timestamps, carrier responses)

How we use mobile information

Mobile information is used exclusively to:

  • Respond to your service inquiry via SMS
  • Deliver scheduling and dispatch updates related to your specific inquiry
  • Route messages between you and the home-service contractor you are contacting
  • Send HELP-response messages when you reply HELP
  • Confirm opt-out when you reply STOP

Mobile information non-sharing clause

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. This includes phone numbers, SMS opt-in status, and any consent data. Mobile opt-in information is excluded from all data sharing practices described elsewhere in this Privacy Policy.

Mobile information is shared only with:

  • The specific home-service contractor you are contacting (as the purpose of the service)
  • Our SMS infrastructure provider (Twilio) solely for the purpose of delivering the messages you requested
  • Law enforcement, if required by valid legal process

Message frequency and rates

Message frequency varies, typically 1-6 messages per service inquiry. Message and data rates may apply based on your mobile carrier plan. CraftsmenLeads does not charge for SMS messages.

Opt-out

You may opt out of SMS at any time by replying STOP to any message. You will receive one confirmation message acknowledging the opt-out. No further messages will be sent to your number unless you re-subscribe by replying START or by re-submitting the consent form.

Help

Reply HELP to any message to receive contact information and a description of the program.

Access and deletion

You may request deletion of your mobile information and opt-in records by emailing support@craftsmenleads.com with the subject line "SMS Data Deletion Request" from the email address associated with your inquiry.

1. Information We Collect

1.1 From Clients (Business Customers)

  • Business name, address, and contact information
  • Business license and certification details
  • Service areas and operating hours
  • Billing and payment information (processed by Stripe)
  • Account credentials (managed by Supabase Auth)
  • FAQ entries and business-specific configuration

1.2 From Consumers (Callers)

  • Phone number (from the missed call)
  • Name, address, and contact preferences (if provided during SMS conversation)
  • Service need description and urgency level
  • Appointment preferences
  • Full SMS conversation transcripts
  • Consent and opt-out records

1.3 From Website Visitors

  • IP address and approximate geolocation
  • Browser type and version
  • Device type and operating system
  • Pages visited, referral source, and session duration
  • Cookies and similar tracking technologies (see our Cookie Policy)

2. How We Use Information

  • Service delivery: Processing missed calls, conducting AI-powered SMS conversations, qualifying leads, and booking appointments on behalf of our clients
  • Account management: Billing, support, onboarding, and client communication
  • Service improvement: Analyzing conversation quality, AI performance scoring, drift detection, and platform reliability monitoring
  • Legal compliance: TCPA compliance verification, consent record-keeping, opt-out processing, and responding to legal requests
  • Security: Fraud detection, abuse prevention, and protecting the integrity of the Service

3. AI Processing Disclosure

Voxilo uses artificial intelligence (powered by xAI's Grok and Anthropic's Claude APIs) to conduct voice conversations with consumers who call our clients' business phone numbers. Key facts about our AI processing:

  • Voice conversations are conducted by an AI agent, not a human
  • At the start of every call, the AI discloses the automated nature of the interaction
  • The AI does not provide technical advice, diagnoses, or emergency guidance
  • Consumers may request human follow-up at any time during the conversation
  • Conversation data is processed by xAI and Anthropic APIs but is not used to train general-purpose AI models
  • All AI interactions are subject to human oversight and quality scoring

Voxilo does NOT use your conversation data, personal information, or any client data to train general-purpose AI models. Conversation data is processed by xAI and Anthropic APIs solely for the purpose of generating real-time responses. xAI's and Anthropic's commercial API terms prohibit the use of API inputs/outputs for model training.

We may use anonymized, aggregated conversation metrics (e.g., average conversation length, resolution rates) to improve our service. This aggregated data cannot be linked back to any individual.

4. How We Share Information

We do not sell, rent, or trade personal information. We share data only as follows:

  • With the specific client: Consumer lead data (name, phone, service need, conversation summary) is shared only with the specific business the consumer called
  • Service providers: Anthropic (AI processing), Twilio (SMS delivery), Stripe (payment processing), Supabase (database hosting), Vercel (website hosting), and Railway (application hosting)
  • Legal requirements: When required by law, subpoena, court order, or to protect our rights and safety
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

5. Data Retention

  • SMS conversation transcripts: 90 days from conversation close
  • Lead records: 1 year from creation
  • Billing and financial records: 7 years (tax and legal requirements)
  • Consent events and compliance records: 5+ years (TCPA statute of limitations)
  • Opt-out records: Retained indefinitely to ensure continued compliance
  • Website analytics: 24 months

6. Consumer Rights

6.1 All Consumers

  • Opt out of SMS communications at any time by replying STOP
  • Request a copy of your conversation transcript
  • Request deletion of your personal information (subject to legal retention requirements)

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit the use of sensitive personal information

6.3 EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. Contact us at legal@voxilo.ai to exercise these rights.

Do Not Sell or Share My Personal Information

Voxilo does NOT sell, rent, or share your personal information with third parties for their own marketing or advertising purposes. We have not sold personal information in the preceding 12 months. Because we do not sell personal information, we do not offer a "Do Not Sell" opt-out mechanism — there is nothing to opt out of.

If our data practices change in the future, we will update this policy, provide notice, and implement the required opt-out mechanisms before any such sharing begins.

7. Security Measures

We implement defense-in-depth security measures:

Encryption

  • TLS 1.3 for all data in transit (API, webhooks, dashboard, SMS relay)
  • AES-256-GCM encryption for personally identifiable information at rest (phone numbers, names)
  • Supabase-managed transparent encryption for all database storage

Access Controls

  • Row-Level Security (RLS) on every database table containing client or consumer data — no client can access another client's data
  • Role-based access: admin, operator, client — each with scoped permissions
  • Mandatory multi-factor authentication (MFA) for administrative accounts
  • All API inputs validated with schema enforcement before processing
  • All webhook endpoints verify cryptographic signatures before processing

Monitoring & Audit

  • Structured logging with correlation IDs for every request
  • Consent events stored in append-only audit logs (never modified or deleted)
  • Compliance engine decisions logged for every outbound message
  • Regular security assessments and dependency vulnerability scanning

Infrastructure

  • Hosted on SOC 2-compliant infrastructure providers (Supabase, Railway, Vercel)
  • Separate environments for development, staging, and production
  • Secrets managed via environment variables with quarterly rotation

We do not claim SOC 2 certification for Voxilo itself. Our infrastructure providers maintain their own SOC 2 compliance.

8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at legal@voxilo.ai.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify clients of material changes via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-accepted standard for how to respond to DNT signals, our Website does not currently respond to DNT browser signals. We will update this policy if a uniform standard is established.

Online Tracking and Third-Party Analytics

Voxilo does NOT use RB2B, Retention.com, or similar visitor de-anonymization services to identify website visitors. We do not use tracking pixels, fingerprinting technologies, or cross-site tracking for advertising purposes.

We use the following analytics tools:

  • Vercel Analytics: Anonymous page-view and performance metrics
  • Supabase: Authentication session management

These services may set cookies as described in our Cookie Policy. We do not participate in advertising networks or behavioral targeting programs.

If you wish to opt out of online tracking by third-party analytics providers, you may:

  • Configure your browser to reject non-essential cookies
  • Use browser extensions such as Privacy Badger or uBlock Origin
  • Visit https://optout.aboutads.info for industry-wide opt-out tools

Data Processing

For business clients who require a Data Processing Addendum (DPA) to comply with GDPR, CCPA, or other data protection regulations, we offer a standard DPA. Contact legal@voxilo.ai to request a copy, or visit our DPA page at voxilo.ai/legal/dpa.

Sub-Processors

We use the following third-party service providers to operate the platform:

ProviderPurposeData Processed
Anthropic (Claude API)AI conversation engineSMS content, lead details
TwilioSMS deliveryPhone numbers, message content
StripePayment processingClient billing information
SupabaseDatabase & authenticationAll platform data
VercelWebsite hostingWebsite analytics
RailwayApplication hostingApplication data
ResendTransactional emailClient email addresses

We will update this list and notify affected clients at least 30 days before adding a new sub-processor that handles personal information.

Data Portability

You may request a copy of your data in a commonly used, machine-readable format (JSON or CSV). Upon account termination, we provide a final data export within 30 days at no charge. Contact support@voxilo.ai to request a data export.

International Data Transfers

Voxilo is based in the United States and provides services primarily to US-based local businesses and their US-based customers. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our legal mechanism for data transfers.

Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected individuals within 30 days of discovering the breach
  • Notify applicable state authorities as required by law (including the New York Attorney General under the NY SHIELD Act)
  • Provide a description of the breach, the types of information involved, and steps you can take to protect yourself
  • Offer appropriate remediation measures

We maintain an incident response plan and conduct regular security assessments to prevent and detect breaches.

10. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

Voxilo
(operated by CraftsmenLeads LLC, Wyoming)
30 N Gould St, Suite R
Sheridan, WY 82801
Email: legal@voxilo.ai
Website: voxilo.ai